Fixing ptrace(pt_deny_attach, ...)

10 Oct 2004, 13:13 PDT

NOTE: For information on Mac OS X Tiger, refer to this article.

In Mac OS X, Apple introduced an additional, non-standard request type to the ptrace() system call: PT_DENY_ATTACH. While an understandable addition, especially in terms of providing plausible defense for their DRM applications, PT_DENY_ATTACH has come to be used by a number of third-party developers in an attempt to provide further copy protection.

This is unfortunate for those of us with a genuine need to attach a debugger. There are several circumstances in which this ability is necessary, including working with libSystem, writing a runtime patch with APE, writing a kext, writing an input manager, or software auditing.

There are several possible ways to work around this behavior: breaking on ptrace(2) in gdb, recompiling your kernel, or writing a kext. I chose to write a kext that hooks ptrace(2).
